Report No. AUD-07-010
September 2007

Division of Resolutions and Receiverships
Protection of Electronic Records

Background and Purpose of Audit

Key to achieving the FDIC's mission of maintaining stability and public confidence in the nation's financial system is safeguarding the sensitive information it collects when conducting resolution and receivership activities at FDIC-insured financial institutions. Such information includes, for example, reports on potential financial institution failures and sensitive personally identifiable information (PII) for institution depositors, borrowers, and employees.

Much of the sensitive information handled by the FDIC falls within the scope of several statutes and regulations intended to protect such information from unauthorized disclosure. These statutes and regulations include the Privacy Act of 1974; the Federal Information Security Management Act of 2002; and the FDIC's Rules and Regulations--Parts 309, Disclosure of Information, and 310, Privacy Act Regulations.

The audit objective was to evaluate the design and implementation of selected controls established by the Division of Resolutions and Receiverships (DRR) for safeguarding sensitive electronic information collected and maintained as a result of resolution and receivership activities at FDIC-insured financial institutions.

Results of Audit

DRR established a number of important controls to safeguard the sensitive electronic information it collects and maintains as a result of resolution and receivership activities at FDIC-insured financial institutions. Such controls include policies, guidelines, and business rules for protecting sensitive electronic information and an Information Security Manager to promote compliance with FDIC and DRR security policies, procedures, and guidelines. However, access to sensitive resolution and receivership information (including PII) stored on the FDIC's internal network was not adequately protected. In addition, sensitive information stored on portable information technology equipment was not encrypted as prescribed by FDIC policy and DRR guidelines. Further, DRR's guidelines for safeguarding sensitive information did not address e-mail communications. These deficiencies increased the risk of unauthorized use of sensitive information.

Recommendations and Management Response

DRR and Division of Information Technology (DIT) security officials took prompt action to restrict access to the vulnerable sensitive information that we identified during the audit and were taking additional steps to safeguard sensitive resolution and receivership information at the close of our audit. The report contains four recommendations addressed to the DRR Director to implement appropriate security control measures to address the security control deficiencies referenced above. The DRR Director concurred with all four recommendations.

This report addresses issues associated with information security. Accordingly, we do not intend to make public release of the specific contents of the report.